"The Month of Apple bugs" begins, rationality surrenders
Kevin Finisterre and someone we only know as "LMH" have launched the Month of Apple Bugs, a site they dub a 'project' with the supposed goal of publishing bugs, hacks and exploits they have found in
If you're the type who enjoys Cliff's Notes, let me summarize my feelings about the decision Kevin and "LMH" have made with this site: I spent almost all of last night sketching and brainstorming ideas, but I honestly can't think of anything more pathetically ego-massaging or FUD-drudging one could do with this information outside of writing, directing and starring in a horror movie about code exploits. Thankfully, I wager such a movie wouldn't do so well at the box office.
Let me be clear: if these guys have actually found enough problems with software (be it Apple's or otherwise) to fill a whole month of releases, I honestly and sincerely thank them - they can help whoever makes that software to make it better. What is so horrendously wrong with this 'project' is that they're stirring up hype and making news headlines with these exploits, instead of sticking with the traditional and ethical practices of reporting and discussing these bugs with the relevant parties.
Who knows, maybe they already filled out the form (though after reading FAQ #4, I doubt it), but publishing this information and landing themselves all over digg and Yahoo! News isn't going to accomplish anything productive. They complain about slow processes and being annoyed at auto-responders to bug reports but they fail to offer any legitimate reason or positive justification for publishing code like this. Patience and civility are virtues, and while I can completely understand being annoyed at faceless bureaucratic processes that fail to tingle the 'hooray I did something good!' bone, publishing this code in this manner has absolutely no positive merit for anyone, and causes nothing but undue harm to the Mac community they so smugly feign an interest in.
But I would hate to end on such a bad note. Instead, I'll promise to stomp my feet about this 'project' as little as possible, as we at TUAW would rather focus on the positive. Over the month, we'll offer context and solutions for the bugs Mr. Finisterre and "LMH" publish, in an effort to help the Mac web create something positive out of this questionable month-long bug report. Stay tuned.
"Instead, I'll promise to stomp my feet about this 'project' as little as possible, as we at TUAW would rather focus on the positive."
Sure you put your head in the sand, I'll help out and put my fingers in my ears and sing "I CAN'T HEAR YOU!!!"
I swear some of the dumbest people on earth are yapping here. Security is not something you just throw into an inbox and hope somebody gets to. I bet if someone could die from one of these exploits you wouldn't be complaining about these guys. Another thing! Full disclosure is nothing you should be able to disagree with. How about I censor your paycheck. If there is a bug, Apple needs to fix the crap, no questions asked. I don't care if a million people know how to exploit it... the shit's still broken. Fix it. Just because you don't understand something is no blank check for your complaints about someone saying "hey look, this crap don't work." That's the same reason Windows XP is so crappy. It's easier for a million people to complain than it is to get them to complain to the right people to get an issue resolved.
January 03 2007 at 11:58 PM
As a coder by trade, I gotta disagree with you here Dave, and here is why:
Apple let 10.2/10.3 sit out here with a HUGE SECURITY HOLE that was WELL KNOWN to pretty much everyone that I know that codes on MacOS (and when I say huge, I mean really really bad security/perms on an important dir that could run *anything* as superuser on boot without so much as a "you sure?") and this huge gaping hole wasn't fixed until late into the 10.3 cycle.
Additionally, any time an app can be exploited to allow access to memory for a malicious payload normally forbidden to it, then yes, it's an OS security problem.
Security via obscurity is NOT security.
But wait...there is more!
Look around the net... Apple has a reputation for handling security researchers... poorly. I don't know if it's inexperience dealing with this sector, image, damage control, or whatever, but it's been going on for *years*... do we think ALL of these people have a bone to pick/are hopped up on HaterAide?
I think not.
Apple is known to be a very one-way/one-sided "partner" when dealing with them on levels most customers/"users" are not exposed to...enter into any kind of B2B relationship with them and you'll see what I mean.
And, given this reputation, I honestly have no reason to believe that if these guys wrote up a nice paper, sent it all to Apple with Happy Hats and Sunshine Smiles and never mentioned a word of it that Apple would immediately look into the issues with zeal and urgency.
Now, to paraphrase Chris Rock..."I don't agree with these guys...but I understand."
What I *don't* understand though is this whole "shoot the messenger" vibe. I mean these guys aren't *breaking* the system, they are pointing to the holes, and to defuse the usual Mac Web mantra of "it's not a real problem/there is no proof" etc., well, it's right there now, isn't it.
What's REALLY sad is a former Apple engineer using a patch trapping Input Manager run-around hack to fix these holes...the irony of it all :)
I'm normally an enthusiastic reader of TUAW, but this post reeks of Apple fanboy-ism. As a software developer I do not see this project as trying to spread FUD about Apple products, nor does it seem motivated in the least by any brand-loyalty (or disloyalty).
These guys found bugs, security exploits that may or may not be known to third parties as it is. We cannot expect Apple to roll out fixes for these overnight, nor can we expect them to publish third-party fixes through officially-endorsed means. Exposing these problems to the public allows both Apple a means to fix these problems, as well as opening the door to short-term fixes that can reduce all of our vulnerabilities.
OSX isn't perfect, and Apple isn't the pious good-boy of the tech world that some people on TUAW seem to think it is. They will hem and haw about certain bugs that ought to be fixed, and they will deflect public knowledge away from certain exploits that are too embarrassing to admit. Transparency about these subjects can only help, and light a fire under Apple's arse to get it fixed.
"*Full disclosure to Apple* Jordan, the people who can **do** something about these problems."
Full Disclosure means everybody gains knowledge of the bug, not just the vendor.
Full disclosure is a heavily debated topic in security circles and I'm disappointed to see TUAW take such a black and white position.
Full disclosure allows the public to take proactive measures to secure their systems in other ways. Perhaps by shutting down the service, or removing the software entirely. One common argument for full disclosure is that the black-hats already know about the exploit; the public is better served by being informed. One common argument against full disclosure is that most people lack the skills or money or time or resources to secure their own systems, so they are better off when fewer people know of the exploit. There are plenty of other arguments as well including vendor pressure, public awareness, third party assistance, legal liability, etc.
I'm disappointed that TUAW has taken this very single-minded view that the experts who believe in full disclosure are in it for the infamy, or to massage their egos, or that the whole exercise is asinine, or that the idea of full disclosure is irrational. An IT security conference I attended recently debated the merits of full disclosure and there was no consensus. This is not a trivial topic and there is no need to demean these researchers just because you have a difference of opinion.
Wow, Quicktime and now VLC? Like Paris Hilton, they should start off with a big one (e.g. her "home video") and then raise attention once in a while (like showing Paris showing her crotch). That's how you keep people interested. Build a reputation first. So far, it's boring.
January 03 2007 at 5:49 PM
#20:
FACTS:
- No one is disputing whether *finding bugs and security flaws* is a bad thing; obviously it's a good thing because *someone* can use them to make the software better.
- No one, and I mean no one, has explained how *widely publicizing and hyping* these flaws does any more good than submitting them to Apple and relevant 3rd party devs.
- All this is doing is putting code exploits into the hands of malicious people who want to do malicious things with them.
FACTS:
- A bug is not a security hole.
- There are a lot more than 31 bugs in OS X.
- This will help Apple make a more stable OS X in the long run.
What bothers me the most is the fact that they're calling this the "Month of Apple Bugs" to gain headlines when it clearly isn't. I don't know how they can justify posting bugs for other software...... oh wait, there aren't enough bugs in Apple software to fill the whole month. But never mind, calling it the Month of Apple Bugs will get more headlines.
Btw, what's the point of a publicity stunt if you remain anonymous?
#12: *Full disclosure to Apple* Jordan, the people who can **do** something about these problems. No one, and I mean no one, has provided a legitimate, positively productive reason for unleashing this information on an audience that includes people who don't understand what's going on here, as well as those who *do* and can use this information for malicious purposes. Apple can fix these problems. Unless you are, for example, the QuickTime engineer who slipped up and created the problem they posted on their first day, there is absolutely no reason for you to have 'full disclosure' on what it actually is. A solution or a workaround to plug the leak it causes, sure, but not the whole 9.
January 03 2007 at 11:37 AM